Original poster: cutcut

[Solved] There's a lot of chatter about heuristics, but what actually is a heuristic?

虚无名
Posted on 2009-8-21 17:25:10
Heuristics still aren't enough to stop viruses.
LiZhen
Posted on 2009-8-21 17:54:24
Comparing NOD32 and Spider (Dr.Web), whose heuristics are stronger?
悠柚
Posted on 2009-8-21 17:55:45

Reply to #12, LiZhen's post

Hard to compare; different vendors use different methods of comparison.
cutcut (this user has been deleted)
OP | Posted on 2009-8-21 18:22:58
Turn signature code into signature logic / behaviour.
Virus database ----------------> heuristics.
woai_jolin
Posted on 2009-8-21 18:49:08
From Eset
Heuristic analysis

Heuristic analysis is a solution to the problem of differentiating virus infiltration from clean code. It is done by means of an inductive process using inbuilt previous experience and anti-virus expert knowledge. The program analyses the instructions contained in the code of the object being followed, simulates their effects and, on the basis of their response, judges the possible closeness to a response typical for viruses. It evaluates the found facts and, if it decides to identify the file as infected, it will prepare a simple characteristic of the attacking file. The characteristic uses the following words to describe a virus:

STEALTH – it uses Stealth technologies
POLY – it is polymorphic
CRYPT – it is encrypted
TUNELL – it tries to find out the original interrupts entrance by means of tunnelling
TSR – it is memory resident
COM – it attacks COM files
EXE – it attacks EXE files
SYS – it attacks SYS files
WINDOWS – it attacks specifically files designed for Windows
WIN95 – it attacks files executable in PE format
COMPANION – it uses the satellite technique of infection
DRIVER – it is installed to memory as a system controller
BOOT – it attacks Boot sector, occasionally also MBR
MACRO – the file contains macros that are typical for viruses

Specific words in the characteristic are separated by a full stop.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.

From Kaspersky
What is a heuristic analyzer?

When the number of viruses exceeded hundreds, antivirus experts thought about how to detect malicious programs that are unknown to antivirus programs, as there are no corresponding antivirus databases. To rectify the problem a heuristic analyzer was developed. The heuristic analyzer analyzes the code of executable files to detect in them new kinds of malware that are usually not detected by the antivirus databases.

In other words, the heuristic analyzer has been developed to search for unknown viruses. When scanning a program the analyzer emulates its execution and makes a protocol of all its “suspicious” actions, e.g. opening or closing a file, intercepting interrupt vectors, etc. On the basis of the protocol the program can be stated as possibly infected.

Thus, about 92% of new viruses are detected by the heuristic analyzer. This mechanism is very effective and rarely leads to false positives. Files that are suspected by the heuristic analyzer to be infected by a virus are called possibly infected or suspicious.

The heuristic analyzer is a part of all antivirus products of Kaspersky Lab. If no known malware has been detected in a file during the antivirus database scan, the file is then scanned by the heuristic analyzer.
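The two vendor texts quoted in this post, and cutcut's one-liner earlier in the thread ("signature code becomes signature logic / behaviour"), describe the same two-stage pipeline: an exact signature lookup against a virus database, and, if that misses, a heuristic pass that replays the "protocol" of actions an emulator recorded and decides whether the file is "possibly infected". The following Python is an added illustration written for this thread; it is not Eset's or Kaspersky's code, and the signature bytes, action names, weights, threshold and sample "protocols" are all constructed. It builds the Eset-style characteristic string (words separated by a full stop) from the recorded actions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A protocol is what a (hypothetical) emulator logged: (action, argument) pairs.
Protocol = List[Tuple[str, str]]

@dataclass
class Sample:
    name: str
    code: bytes          # file contents fed to the signature scan
    protocol: Protocol   # actions recorded while emulating the file

@dataclass
class Verdict:
    status: str          # "infected", "possibly infected" or "clean"
    detail: str = ""     # family name (signature hit) or characteristic string
    score: int = 0       # heuristic score, 0 when a signature decided

# Stage 1: constructed "virus database" of byte signatures -> family name.
SIGNATURE_DB = {
    b"\xb8\x00\x4c\xcd\x21EVILSIG": "Constructed.Sample.A",
}

# Stage 2: constructed weights for emulator-recorded actions.
# Real engines tune these against huge clean-file corpora to keep false
# positives down; the numbers here exist only to make the example run.
SUSPICIOUS_ACTIONS = {
    "hook_interrupt_vector": 3,       # "intercepting interrupt vectors"
    "stay_resident": 3,               # TSR behaviour
    "write_boot_sector": 5,
    "open_executable_for_write": 2,   # candidate file infection
    "self_decrypt": 2,
    "tunnel_interrupt_chain": 3,
    "create_companion_file": 3,
}
THRESHOLD = 5

# Eset-style characteristic words, in the order the encyclopedia lists them.
WORD_ORDER = ["STEALTH", "POLY", "CRYPT", "TUNELL", "TSR", "COM", "EXE", "SYS",
              "WINDOWS", "WIN95", "COMPANION", "DRIVER", "BOOT", "MACRO"]
ACTION_WORDS = {
    "stay_resident": "TSR",
    "self_decrypt": "CRYPT",
    "write_boot_sector": "BOOT",
    "tunnel_interrupt_chain": "TUNELL",
    "create_companion_file": "COMPANION",
}
TARGET_WORDS = {".com": "COM", ".exe": "EXE", ".sys": "SYS"}

def signature_scan(code: bytes) -> Optional[str]:
    """Exact pattern lookup: the 'virus database' stage."""
    for pattern, family in SIGNATURE_DB.items():
        if pattern in code:
            return family
    return None

def heuristic_scan(protocol: Protocol) -> Tuple[int, str]:
    """Score the recorded actions and build the characteristic string."""
    score = 0
    words = set()
    for action, arg in protocol:
        score += SUSPICIOUS_ACTIONS.get(action, 0)
        word = ACTION_WORDS.get(action)
        if action == "open_executable_for_write":
            # Which kind of file the sample tried to infect (COM/EXE/SYS).
            word = TARGET_WORDS.get(arg.lower()[-4:])
        if word:
            words.add(word)
    characteristic = ".".join(sorted(words, key=WORD_ORDER.index))
    return score, characteristic

def analyze(sample: Sample) -> Verdict:
    """Signature first; only unknown files reach the heuristic analyzer."""
    family = signature_scan(sample.code)
    if family:
        return Verdict("infected", family)
    score, characteristic = heuristic_scan(sample.protocol)
    if score >= THRESHOLD:
        return Verdict("possibly infected", characteristic, score)
    return Verdict("clean", "", score)

# Constructed samples: a known family, an unknown sample with virus-like
# behaviour, and a clean file that only reads a text file.
KNOWN = Sample("known.com", b"\x90\x90\xb8\x00\x4c\xcd\x21EVILSIG\x90", [])
UNKNOWN = Sample("unknown.com", b"\xeb\x10NOTINDB", [
    ("self_decrypt", ""),
    ("stay_resident", ""),
    ("hook_interrupt_vector", "INT 21h"),
    ("open_executable_for_write", "C:\\GAME.COM"),
])
CLEAN = Sample("notes.exe", b"MZ\x90\x00hello", [
    ("open_file", "readme.txt"),
    ("close_file", "readme.txt"),
])

if __name__ == "__main__":
    for s in (KNOWN, UNKNOWN, CLEAN):
        print(s.name, analyze(s))
```

Running it reports the known sample as "infected" with its family name, the unknown one as "possibly infected" with the characteristic CRYPT.TSR.COM and a score of 10, and the clean file as "clean". The interesting part for a defender is the threshold: a legitimate resident driver or a packed installer also racks up points, which is why the Kaspersky text distinguishes "possibly infected" from "infected" and why weight tuning against clean software, not the scoring loop itself, is where the real engineering effort goes.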
woai_jolin
Posted on 2009-8-21 19:09:06
Quote from 04m40125, posted 2009-8-21 17:25:
Heuristics still aren't enough to stop viruses.

Agreed. Signatures are still the key to stopping viruses.
As for heuristics, generic (broad-spectrum) detection, behaviour blocking and virtual-machine behaviour analysis, those are all auxiliary.
lyhong1000
Posted on 2009-8-21 19:10:45
I'm still learning!
LeRoiLee (this user has been deleted)
Posted on 2009-8-21 22:55:40
Actually I think the main thing is to look at the purpose: finding unknown viruses. On the technical side there's "gene" this and behaviour analysis that~~ Anyway I think any technique that can find unknown viruses can be called heuristics~~ and there's no need to say such-and-such isn't heuristics~~ as long as it finds unknown viruses to some degree (of course if the degree is too small it doesn't count)~~ it counts as heuristics~~ It also seems that different companies define heuristics differently~~
ad5018
Posted on 2009-8-21 23:10:50
Learned something.
peater
Posted on 2009-8-21 23:11:52
Learned something~~~~ thanks

Copyright © KaFan  KaFan.cn All Rights Reserved.

Powered by Discuz! X3.4( 沪ICP备2020031077号-2 ) GMT+8, 2025-1-18 11:45 , Processed in 0.076145 second(s), 13 queries .

卡饭网所发布的一切软件、样本、工具、文章等仅限用于学习和研究,不得将上述内容用于商业或者其他非法用途,否则产生的一切后果自负,本站信息来自网络,版权争议问题与本站无关,您必须在下载后的24小时之内从您的电脑中彻底删除上述信息,如有问题请通过邮件与我们联系。

快速回复 客服 返回顶部 返回列表